From acf7a7d2186d94ad48acc27d3e55b6ee94619c45 Mon Sep 17 00:00:00 2001
From: Tom Prince <tom.prince@private.storage>
Date: Wed, 25 Aug 2021 11:03:22 -0600
Subject: [PATCH] stuff
---
morph/grid/local/README.rst | 15 ++++
morph/grid/local/arion-compose.nix | 78 +++++++++++++++++++++
morph/grid/local/arion-pkgs.nix | 5 ++
morph/grid/local/grid.nix | 24 ++++---
morph/grid/local/public-keys/users.nix | 3 +-
morph/grid/local/secrets.nix | 24 +++++++
morph/grid/production/grid.nix | 12 ++--
morph/grid/testing/grid.nix | 12 ++--
morph/lib/customize-issuer.nix | 49 ++-----------
morph/lib/customize-monitoring.nix | 21 ++----
morph/lib/customize-storage.nix | 25 +++----
morph/lib/default.nix | 1 +
morph/lib/deployment.nix | 24 +++++++
morph/lib/hardware-docker.nix | 33 +++++++++
morph/lib/hardware-virtual.nix | 64 +++++++++--------
morph/lib/issuer.nix | 95 ++++++++++++++------------
morph/lib/monitoring.nix | 2 +
morph/lib/storage.nix | 83 ++++++++++++----------
shell.nix | 3 +-
19 files changed, 373 insertions(+), 200 deletions(-)
create mode 100644 morph/grid/local/arion-compose.nix
create mode 100644 morph/grid/local/arion-pkgs.nix
create mode 100644 morph/grid/local/secrets.nix
create mode 100644 morph/lib/deployment.nix
create mode 100644 morph/lib/hardware-docker.nix
diff --git a/morph/grid/local/README.rst b/morph/grid/local/README.rst
index d30d8766..eb99d500 100644
--- a/morph/grid/local/README.rst
+++ b/morph/grid/local/README.rst
@@ -49,3 +49,18 @@ Use the local development environment
morph upload-secrets grid.nix
You should now be able to log in with the users and keys you set in your ``users.nix`` file.
+
+Docker environment
+``````````````````
+
+1. Enter the morph local grid directory::
+
+ cd morph/grid/local
+
+2. Enter the project's nix-shell::
+
+ nix-shell ../../../shell.nix
+
+3. Start the services::
+
+ arion up
diff --git a/morph/grid/local/arion-compose.nix b/morph/grid/local/arion-compose.nix
new file mode 100644
index 00000000..1f8eb209
--- /dev/null
+++ b/morph/grid/local/arion-compose.nix
@@ -0,0 +1,78 @@
+{lib, ...}:
+let
+ gridlib = import ../../lib;
+
+ rawConfig = lib.importJSON ./config.json;
+ config = rawConfig // {
+ sshUsers = import ./public-keys/users.nix;
+
+ # Convert relative paths to absolute so library code can resolve names
+ # correctly.
+ publicKeyPath = toString ./. + "/${rawConfig.publicKeyPath}";
+ privateKeyPath = toString ./. + "/${rawConfig.privateKeyPath}";
+ };
+
+ # Configure deployment management authorization for all systems in the grid.
+ deployment = {
+ services.private-storage.deployment = {
+ authorizedKey = builtins.readFile "${config.publicKeyPath}/deploy_key.pub";
+ gridName = "local";
+ };
+ services.private-storage.sshUsers = config.sshUsers;
+ deployment = {
+ inherit (config) publicKeyPath privateKeyPath;
+ };
+ };
+
+ node = { monitor-ip, public-ip }: { pkgs, lib, ...}: {
+ image.name = "localhost/nixos-test";
+ nixos.useSystemd = true;
+ service.useHostStore = true;
+ out.service = {
+ networks.privatestorage.ipv4_address = public-ip;
+ };
+ nixos.configuration = {
+ imports = [
+ # Include the module from morph, which defines the
+ # `deployment` option.
+ "${pkgs.morph.lib}/options.nix"
+ gridlib.hardware-docker
+ ./secrets.nix
+ deployment
+ ];
+ config = {
+ system.stateVersion = lib.mkDefault "19.09";
+ monitoringvpnIPv4 = monitor-ip;
+ };
+ };
+ };
+
+ storage-node = { monitor-ip, public-ip }@args: { pkgs, lib, ...}: {
+ imports = [ (node args) ];
+ nixos.configuration = {
+ imports = [
+ gridlib.storage
+ (gridlib.customize-storage config)
+ ];
+ };
+ };
+in
+{
+ services.storage1 = storage-node { monitor-ip = "172.23.23.12"; public-ip = "10.88.2.30"; };
+ services.storage2 = storage-node { monitor-ip = "172.23.23.13"; public-ip = "10.88.2.31"; };
+ services.payment = { pkgs, lib, ...}: {
+ imports = [ (node { monitor-ip = "172.23.23.11"; public-ip = "10.88.2.32"; }) ];
+ nixos.configuration = {
+ imports = [
+ gridlib.issuer
+ (gridlib.customize-issuer (config // {
+ monitoringvpnIPv4 = "172.23.23.11";
+ }))
+ ];
+ };
+ };
+ docker-compose.raw = {
+ networks.privatestorage = { name = "privatestorage"; external = true; };
+ volumes.nix = { name = "nix"; external = true; };
+ };
+}
diff --git a/morph/grid/local/arion-pkgs.nix b/morph/grid/local/arion-pkgs.nix
new file mode 100644
index 00000000..0c1f0648
--- /dev/null
+++ b/morph/grid/local/arion-pkgs.nix
@@ -0,0 +1,5 @@
+import <nixpkgs> {
+ # We specify the architecture explicitly. Use a Linux remote builder when
+ # calling arion from other platforms.
+ system = "x86_64-linux";
+}
diff --git a/morph/grid/local/grid.nix b/morph/grid/local/grid.nix
index 51f41832..e88111bd 100644
--- a/morph/grid/local/grid.nix
+++ b/morph/grid/local/grid.nix
@@ -18,56 +18,64 @@ let
authorizedKey = builtins.readFile "${config.publicKeyPath}/deploy_key.pub";
gridName = "local";
};
+ services.private-storage.sshUsers = config.sshUsers;
+ deployment = {
+ inherit (config) publicKeyPath privateKeyPath;
+ };
};
payments = {
imports = [
gridlib.issuer
- (gridlib.hardware-virtual ({ publicIPv4 = "192.168.67.21"; }))
+ gridlib.hardware-virtual
(gridlib.customize-issuer (config // {
monitoringvpnIPv4 = "172.23.23.11";
}))
deployment
];
+ hardware-virtual.publicIPv4 = "192.168.67.21";
};
storage1 = {
imports = [
gridlib.storage
- (gridlib.hardware-virtual ({ publicIPv4 = "192.168.67.22"; }))
+ gridlib.hardware-virtual
(gridlib.customize-storage (config // {
monitoringvpnIPv4 = "172.23.23.12";
- stateVersion = "19.09";
}))
deployment
];
+ hardware-virtual.publicIPv4 = "192.168.67.22";
+ system.stateVersion = "19.09";
};
storage2 = {
imports = [
gridlib.storage
- (gridlib.hardware-virtual ({ publicIPv4 = "192.168.67.23"; }))
+ gridlib.hardware-virtual
(gridlib.customize-storage (config // {
monitoringvpnIPv4 = "172.23.23.13";
- stateVersion = "19.09";
}))
deployment
];
+ hardware-virtual.publicIPv4 = "192.168.67.23";
+ system.stateVersion = "19.09";
};
monitoring = {
imports = [
gridlib.monitoring
- (gridlib.hardware-virtual ({ publicIPv4 = "192.168.67.24"; }))
+ gridlib.hardware-virtual
(gridlib.customize-monitoring {
inherit hostsMap vpnClientIPs nodeExporterTargets paymentExporterTargets;
- inherit (config) domain publicKeyPath privateKeyPath sshUsers letsEncryptAdminEmail;
+ inherit (config) domain letsEncryptAdminEmail;
googleOAuthClientID = config.monitoringGoogleOAuthClientID;
monitoringvpnIPv4 = "172.23.23.1";
- stateVersion = "19.09";
})
deployment
];
+ hardware-virtual.publicIPv4 = "192.168.67.24";
+ system.stateVersion = "19.09";
};
# TBD: derive these automatically:
diff --git a/morph/grid/local/public-keys/users.nix b/morph/grid/local/public-keys/users.nix
index 412077c0..e21002d4 100644
--- a/morph/grid/local/public-keys/users.nix
+++ b/morph/grid/local/public-keys/users.nix
@@ -1,4 +1,3 @@
# Add your public key. Example:
-# let key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx7wJQNqKn8jOC4AxySRL2UxidNp7uIK9ad3pMb1ifF flo@fs-la";
-let key = undefined;
+let key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx7wJQNqKn8jOC4AxySRL2UxidNp7uIK9ad3pMb1ifF flo@fs-la";
in { "root" = key; "vagrant" = key; }
diff --git a/morph/grid/local/secrets.nix b/morph/grid/local/secrets.nix
new file mode 100644
index 00000000..9866d6b8
--- /dev/null
+++ b/morph/grid/local/secrets.nix
@@ -0,0 +1,24 @@
+{ config, lib, pkgs, ... }@args:
+let
+ cfg = config.deployment;
+
+in {
+ # Force secrets to be in /etc/secrets instead of the default.
+ # Most modules default to `/run/keys` which is deleted on boot.
+ # Since the local private keys are in VCS anyway, this is safe.
+ options = {
+ deployment.secrets = lib.mkOption {
+ apply = lib.mapAttrs (k: v: v // {destination = "/etc/secrets/${k}";});
+ };
+ };
+
+ # Actually put the secrets into /etc/secrets
+ config = {
+ environment.etc = lib.mapAttrs'
+ (k: v: lib.nameValuePair "secrets/${k}" {
+ mode = "0444";
+ text = lib.readFile v.source;
+ })
+ cfg.secrets;
+ };
+}
diff --git a/morph/grid/production/grid.nix b/morph/grid/production/grid.nix
index 06eefdd2..3b5840d9 100644
--- a/morph/grid/production/grid.nix
+++ b/morph/grid/production/grid.nix
@@ -7,8 +7,6 @@ let
config = rawConfig // {
sshUsers = import ./public-keys/users.nix;
- # Convert relative paths to absolute so library code can resolve names
- # correctly.
publicKeyPath = toString ./. + "/${rawConfig.publicKeyPath}";
privateKeyPath = toString ./. + "/${rawConfig.privateKeyPath}";
};
@@ -19,6 +17,10 @@ let
authorizedKey = builtins.readFile "${config.publicKeyPath}/deploy_key.pub";
gridName = "production";
};
+ services.private-storage.sshUsers = config.sshUsers;
+ deployment = {
+ inherit (config) publicKeyPath privateKeyPath;
+ };
};
payments = {
@@ -38,13 +40,13 @@ let
gridlib.hardware-aws
(gridlib.customize-monitoring {
inherit hostsMap vpnClientIPs nodeExporterTargets paymentExporterTargets;
- inherit (config) domain publicKeyPath privateKeyPath sshUsers letsEncryptAdminEmail;
+ inherit (config) domain letsEncryptAdminEmail;
googleOAuthClientID = config.monitoringGoogleOAuthClientID;
monitoringvpnIPv4 = "172.23.23.1";
- stateVersion = "19.09";
})
deployment
];
+ system.stateVersion = "19.09";
};
defineStorageNode = name: { vpnIP, stateVersion }:
@@ -67,13 +69,13 @@ let
# Then customize the storage system a little bit based on this node's particulars.
(gridlib.customize-storage (config // nodecfg // {
monitoringvpnIPv4 = vpnIP;
- inherit stateVersion;
}))
# Also configure deployment management authorization
deployment
];
+ system.stateVersion = stateVersion;
# And supply configuration for those hardware / network / bootloader
# options. See the 100tb module for handling of this value. The module
# name is quoted because `1` makes `100tb` look an awful lot like a
diff --git a/morph/grid/testing/grid.nix b/morph/grid/testing/grid.nix
index 7b06c99e..09ab6fbf 100644
--- a/morph/grid/testing/grid.nix
+++ b/morph/grid/testing/grid.nix
@@ -7,8 +7,6 @@ let
config = rawConfig // {
sshUsers = import ./public-keys/users.nix;
- # Convert relative paths to absolute so library code can resolve names
- # correctly.
publicKeyPath = toString ./. + "/${rawConfig.publicKeyPath}";
privateKeyPath = toString ./. + "/${rawConfig.privateKeyPath}";
};
@@ -19,6 +17,10 @@ let
authorizedKey = builtins.readFile "${config.publicKeyPath}/deploy_key.pub";
gridName = "testing";
};
+ services.private-storage.sshUsers = config.sshUsers;
+ deployment = {
+ inherit (config) publicKeyPath privateKeyPath;
+ };
};
payments = {
@@ -39,10 +41,10 @@ let
./testing001-hardware.nix
(gridlib.customize-storage (config // {
monitoringvpnIPv4 = "172.23.23.12";
- stateVersion = "19.03";
}))
deployment
];
+ system.stateVersion = "19.03";
};
monitoring = {
@@ -51,13 +53,13 @@ let
gridlib.hardware-aws
(gridlib.customize-monitoring {
inherit hostsMap vpnClientIPs nodeExporterTargets paymentExporterTargets;
- inherit (config) domain publicKeyPath privateKeyPath sshUsers letsEncryptAdminEmail;
+ inherit (config) domain letsEncryptAdminEmail;
googleOAuthClientID = config.monitoringGoogleOAuthClientID;
monitoringvpnIPv4 = "172.23.23.1";
- stateVersion = "19.09";
})
deployment
];
+ system.stateVersion = "19.09";
};
# TBD: derive these automatically:
diff --git a/morph/lib/customize-issuer.nix b/morph/lib/customize-issuer.nix
index 1c0d668f..e71543f1 100644
--- a/morph/lib/customize-issuer.nix
+++ b/morph/lib/customize-issuer.nix
@@ -1,22 +1,9 @@
# Define a function which returns a value which fills in all the holes left by
# ``issuer.nix``.
{
- # A path on the deployment system of a directory containing all of the
- # public keys for the system. For example, this holds Wireguard public keys
- # for the VPN configuration and SSH public keys to configure SSH
- # authentication.
- publicKeyPath
-
- # A path on the deployment system of a directory containing all of the
- # corresponding private keys for the system.
-, privateKeyPath
-
# A string giving the IP address and port number (":"-separated) of the VPN
# server.
-, monitoringvpnEndpoint
-
- # A string giving the VPN IPv4 address for this system.
-, monitoringvpnIPv4
+ monitoringvpnEndpoint
# A string giving the domain name associated with this grid. This is meant
# to be combined with the hostname for this system to produce a
@@ -27,11 +14,6 @@
# ``payments.example-grid.invalid`` is the name of this system.
, domain
- # A set mapping usernames as strings to SSH public keys as strings. For
- # each element of the site, the indicated user is configured on the system
- # with the indicated SSH key as an authorized key.
-, sshUsers
-
# A string giving an email address to use for Let's Encrypt registration and
# certificate issuance.
, letsEncryptAdminEmail
@@ -45,7 +27,12 @@
, allowedChargeOrigins
, ...
}:
-{ config, ... }: {
+{ config, ... }:
+let
+ inherit (config.deployment) publicKeyPath privateKeyPath;
+ inherit (config) monitoringvpnIPv4;
+in {
+ imports = [ ./deployment.nix ];
# The morph default deployment target the name of the node in the network
# attrset. We don't always want to give the node its proper public address
# there (because it depends on which domain is associated with the grid
@@ -54,30 +41,8 @@
# qualified domain name.
deployment.targetHost = "${config.networking.hostName}.${config.networking.domain}";
- deployment.secrets = {
- # A path on the deployment system to a file containing the Ristretto
- # signing key. This is used as the source of the Ristretto signing key
- # morph secret.
- "ristretto-signing-key".source = "${privateKeyPath}/ristretto.signing-key";
-
- # A path on the deployment system to a file containing the Stripe secret
- # key. This is used as the source of the Stripe secret key morph secret.
- "stripe-secret-key".source = "${privateKeyPath}/stripe.secret";
-
- # ``.../monitoringvpn`` is a path on the deployment system of a directory
- # containing a number of VPN-related secrets. This is expected to contain
- # a number of files named like ``<VPN IPv4 address>.key`` containing the
- # VPN private key for the corresponding host. It must also contain
- # ``server.pub`` and ``preshared.key`` holding the VPN server's public key
- # and the pre-shared key, respectively. All of these things are used as
- # the sources of various VPN-related morph secrets.
- "monitoringvpn-secret-key".source = "${privateKeyPath}/monitoringvpn/${monitoringvpnIPv4}.key";
- "monitoringvpn-preshared-key".source = "${privateKeyPath}/monitoringvpn/preshared.key";
- };
-
networking.domain = domain;
- services.private-storage.sshUsers = sshUsers;
services.private-storage.monitoring.vpn.client = {
enable = true;
ip = monitoringvpnIPv4;
diff --git a/morph/lib/customize-monitoring.nix b/morph/lib/customize-monitoring.nix
index 391aa560..6a811865 100644
--- a/morph/lib/customize-monitoring.nix
+++ b/morph/lib/customize-monitoring.nix
@@ -9,11 +9,8 @@
hostsMap
# See ``customize-issuer.nix``.
-, publicKeyPath
-, privateKeyPath
, monitoringvpnIPv4
, domain
-, sshUsers
, letsEncryptAdminEmail
# A list of VPN IP addresses as strings indicating which clients will be
@@ -36,11 +33,13 @@
# logins to Grafana.
, googleOAuthClientID
- # A string giving the NixOS state version for the system.
-, stateVersion
, ...
}:
-{ config, ... }: {
+{ config, ... }:
+let
+ inherit (config.deployment) publicKeyPath privateKeyPath;
+in {
+ imports = [ ./deployment.nix ];
# See customize-issuer.nix for an explanatoin of targetHost value.
deployment.targetHost = "${config.networking.hostName}.${config.networking.domain}";
@@ -75,18 +74,12 @@
action = ["sudo" "systemctl" "restart" "grafana.service"];
};
};
- monitoringvpn = {
- "monitoringvpn-private-key".source = "${privateKeyPath}/monitoringvpn/server.key";
- "monitoringvpn-preshared-key".source = "${privateKeyPath}/monitoringvpn/preshared.key";
- };
in
- grafanaSSO // monitoringvpn;
+ grafanaSSO;
networking.domain = domain;
networking.hosts = hostsMap;
- services.private-storage.sshUsers = sshUsers;
-
services.private-storage.monitoring.vpn.server = {
enable = true;
ip = monitoringvpnIPv4;
@@ -105,6 +98,4 @@
inherit googleOAuthClientID;
domain = "${config.networking.hostName}.${config.networking.domain}";
};
-
- system.stateVersion = stateVersion;
}
diff --git a/morph/lib/customize-storage.nix b/morph/lib/customize-storage.nix
index 68655874..80510125 100644
--- a/morph/lib/customize-storage.nix
+++ b/morph/lib/customize-storage.nix
@@ -2,11 +2,7 @@
# ``storage.nix``.
{
# See ``customize-issuer.nix``
- privateKeyPath
-, publicKeyPath
-, monitoringvpnEndpoint
-, monitoringvpnIPv4
-, sshUsers
+ monitoringvpnEndpoint
, domain
# An integer giving the value of a single pass in byte×months.
@@ -16,24 +12,21 @@
# advertisements and on which to listen for storage connections.
, publicStoragePort
- # A string giving the NixOS state version for the system.
-, stateVersion
, ...
}:
-{ config, ... }: {
+{ config, ... }:
+let
+ inherit (config.deployment) publicKeyPath privateKeyPath;
+ inherit (config) monitoringvpnIPv4;
+in {
+ imports = [ ./deployment.nix ];
# See customize-issuer.nix for an explanatoin of targetHost value.
deployment.targetHost = "${config.networking.hostName}.${config.networking.domain}";
- deployment.secrets = {
- "ristretto-signing-key".source = "${privateKeyPath}/ristretto.signing-key";
- "monitoringvpn-secret-key".source = "${privateKeyPath}/monitoringvpn/${monitoringvpnIPv4}.key";
- "monitoringvpn-preshared-key".source = "${privateKeyPath}/monitoringvpn/preshared.key";
- };
-
networking.domain = domain;
services.private-storage = {
- inherit sshUsers passValue publicStoragePort;
+ inherit passValue publicStoragePort;
};
services.private-storage.monitoring.vpn.client = {
@@ -42,6 +35,4 @@
endpoint = monitoringvpnEndpoint;
endpointPublicKeyFile = "${publicKeyPath}/monitoringvpn/server.pub";
};
-
- system.stateVersion = stateVersion;
}
diff --git a/morph/lib/default.nix b/morph/lib/default.nix
index bdd92f4b..3c620a04 100644
--- a/morph/lib/default.nix
+++ b/morph/lib/default.nix
@@ -4,6 +4,7 @@
{
hardware-aws = import ./issuer-aws.nix;
hardware-virtual = import ./hardware-virtual.nix;
+ hardware-docker = import ./hardware-docker.nix;
issuer = import ./issuer.nix;
customize-issuer = import ./customize-issuer.nix;
diff --git a/morph/lib/deployment.nix b/morph/lib/deployment.nix
new file mode 100644
index 00000000..0e4fc8b0
--- /dev/null
+++ b/morph/lib/deployment.nix
@@ -0,0 +1,24 @@
+
+{ lib, config, ... }:
+let
+ cfg = config.hardware-virtual;
+in {
+ options.deployment = {
+ publicKeyPath = lib.mkOption {
+ type = lib.types.path;
+ description = ''
+ A path on the deployment system of a directory containing all of the
+ public keys for the system. For example, this holds Wireguard public keys
+ for the VPN configuration and SSH public keys to configure SSH
+ authentication.
+ '';
+ };
+ privateKeyPath = lib.mkOption {
+ type = lib.types.path;
+ description = ''
+ A path on the deployment system of a directory containing all of the
+ corresponding private keys for the system.
+ '';
+ };
+ };
+}
diff --git a/morph/lib/hardware-docker.nix b/morph/lib/hardware-docker.nix
new file mode 100644
index 00000000..7dc35a9f
--- /dev/null
+++ b/morph/lib/hardware-docker.nix
@@ -0,0 +1,33 @@
+{ modulesPath, pkgs, config, lib, ... }:
+let
+in {
+ imports = [
+ "${modulesPath}/virtualisation/docker-image.nix"
+ ];
+
+ config = {
+ environment.systemPackages = with pkgs; [
+ bashInteractive
+ ];
+
+ nix.readOnlyStore = false;
+ boot.postBootCommands = lib.mkBefore ''
+ mkdir -p /run/systemd
+ '';
+ # From https://github.com/hercules-ci/arion/blob/master/src/nix/modules/nixos/container-systemd.nix
+
+ boot.isContainer = true;
+ boot.specialFileSystems = lib.mkForce {};
+
+ services.journald.console = "/dev/console";
+
+ systemd.services.systemd-logind.enable = false;
+ systemd.services.console-getty.enable = false;
+
+ systemd.sockets.nix-daemon.enable = lib.mkDefault false;
+ systemd.services.nix-daemon.enable = lib.mkDefault false;
+ # From https://github.com/hercules-ci/arion/blob/master/examples/full-nixos/arion-compose.nix
+ services.nscd.enable = false;
+ system.nssModules = lib.mkForce [];
+ };
+}
diff --git a/morph/lib/hardware-virtual.nix b/morph/lib/hardware-virtual.nix
index cf158279..37a1a12e 100644
--- a/morph/lib/hardware-virtual.nix
+++ b/morph/lib/hardware-virtual.nix
@@ -1,36 +1,46 @@
-{ publicIPv4, ... }:
-{
+{ lib, config, ... }:
+let
+ cfg = config.hardware-virtual;
+in {
imports = [ ./vagrant-guest.nix ];
+ options.hardware-virtual = {
+ publicIPv4 = lib.mkOption {
+ type = lib.types.str;
+ example = lib.literalExample "192.0.2.0";
+ };
+ };
- virtualisation.virtualbox.guest.enable = true;
+ config = {
+ virtualisation.virtualbox.guest.enable = true;
- # Use the GRUB 2 boot loader.
- boot.loader.grub.enable = true;
- boot.loader.grub.version = 2;
- boot.loader.grub.device = "/dev/sda";
+ # Use the GRUB 2 boot loader.
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.device = "/dev/sda";
- boot.initrd.availableKernelModules = [ "ata_piix" "sd_mod" "sr_mod" ];
- boot.initrd.kernelModules = [ ];
- boot.kernel.sysctl = { "vm.swappiness" = 0; };
- boot.kernelModules = [ ];
- boot.extraModulePackages = [ ];
+ boot.initrd.availableKernelModules = [ "ata_piix" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernel.sysctl = { "vm.swappiness" = 0; };
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
- # remove the fsck that runs at startup. It will always fail to run, stopping
- # your boot until you press *.
- boot.initrd.checkJournalingFS = false;
+ # remove the fsck that runs at startup. It will always fail to run, stopping
+ # your boot until you press *.
+ boot.initrd.checkJournalingFS = false;
- networking.interfaces.enp0s8.ipv4.addresses = [{
- address = publicIPv4;
- prefixLength = 24;
- }];
+ networking.interfaces.enp0s8.ipv4.addresses = [{
+ address = cfg.publicIPv4;
+ prefixLength = 24;
+ }];
- fileSystems."/storage" = { fsType = "tmpfs"; };
- fileSystems."/" =
- { device = "/dev/sda1";
- fsType = "ext4";
- };
- swapDevices = [ ];
+ fileSystems."/storage" = { fsType = "tmpfs"; };
+ fileSystems."/" =
+ { device = "/dev/sda1";
+ fsType = "ext4";
+ };
+ swapDevices = [ ];
- # We want to push packages with morph without having to sign them
- nix.trustedUsers = [ "@wheel" "root" "vagrant" ];
+ # We want to push packages with morph without having to sign them
+ nix.trustedUsers = [ "@wheel" "root" "vagrant" ];
+ };
}
diff --git a/morph/lib/issuer.nix b/morph/lib/issuer.nix
index f617eef1..9b62a808 100644
--- a/morph/lib/issuer.nix
+++ b/morph/lib/issuer.nix
@@ -4,41 +4,12 @@
# statically known. This value is suitable for use as a module to be imported
# into a more complete system configuration. It is expected that the holes
# will be filled by a sibling module created by ``customize-issuer.nix``.
-{ config, ...}:
-{
- deployment = {
- secrets = {
- "ristretto-signing-key" = {
- destination = "/run/keys/ristretto.signing-key";
- owner.user = "root";
- owner.group = "root";
- permissions = "0400";
- action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
- };
- "stripe-secret-key" = {
- destination = "/run/keys/stripe.secret-key";
- owner.user = "root";
- owner.group = "root";
- permissions = "0400";
- action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
- };
-
- "monitoringvpn-secret-key" = {
- destination = "/run/keys/monitoringvpn/client.key";
- owner.user = "root";
- owner.group = "root";
- permissions = "0400";
- action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
- };
- "monitoringvpn-preshared-key" = {
- destination = "/run/keys/monitoringvpn/preshared.key";
- owner.user = "root";
- owner.group = "root";
- permissions = "0400";
- action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
- };
- };
- };
+{ lib, config, ...}:
+let
+ inherit (config.deployment) publicKeyPath privateKeyPath;
+ inherit (config) monitoringvpnIPv4;
+in {
+ options.monitoringvpnIPv4 = lib.mkOption {};
imports = [
# Allow us to remotely trigger updates to this system.
@@ -49,12 +20,52 @@
../../nixos/modules/monitoring/exporters/node.nix
];
- services.private-storage-issuer = {
- enable = true;
- tls = true;
- ristrettoSigningKeyPath = config.deployment.secrets.ristretto-signing-key.destination;
- stripeSecretKeyPath = config.deployment.secrets.stripe-secret-key.destination;
- database = "SQLite3";
- databasePath = "/var/db/vouchers.sqlite3";
+ config = {
+ deployment = {
+ secrets = {
+ "ristretto-signing-key" = {
+ destination = "/run/keys/ristretto.signing-key";
+ source = "${privateKeyPath}/ristretto.signing-key";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
+ };
+ "stripe-secret-key" = {
+ destination = "/run/keys/stripe.secret-key";
+ source = "${privateKeyPath}/stripe.secret";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
+ };
+
+ "monitoringvpn-secret-key" = {
+ destination = "/run/keys/monitoringvpn/client.key";
+ source = "${privateKeyPath}/monitoringvpn/${monitoringvpnIPv4}.key";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+ };
+ "monitoringvpn-preshared-key" = {
+ destination = "/run/keys/monitoringvpn/preshared.key";
+ source = "${privateKeyPath}/monitoringvpn/preshared.key";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+ };
+ };
+ };
+
+ services.private-storage-issuer = {
+ enable = true;
+ tls = true;
+ ristrettoSigningKeyPath = config.deployment.secrets.ristretto-signing-key.destination;
+ stripeSecretKeyPath = config.deployment.secrets.stripe-secret-key.destination;
+ database = "SQLite3";
+ databasePath = "/var/db/vouchers.sqlite3";
+ };
};
}
diff --git a/morph/lib/monitoring.nix b/morph/lib/monitoring.nix
index 7d59c296..8dedab10 100644
--- a/morph/lib/monitoring.nix
+++ b/morph/lib/monitoring.nix
@@ -5,6 +5,7 @@
secrets = {
"monitoringvpn-private-key" = {
destination = "/run/keys/monitoringvpn/server.key";
+ source = "${privateKeyPath}/monitoringvpn/server.key";
owner.user = "root";
owner.group = "root";
permissions = "0400";
@@ -12,6 +13,7 @@
};
"monitoringvpn-preshared-key" = {
destination = "/run/keys/monitoringvpn/preshared.key";
+ source = "${privateKeyPath}/monitoringvpn/preshared.key";
owner.user = "root";
owner.group = "root";
permissions = "0400";
diff --git a/morph/lib/storage.nix b/morph/lib/storage.nix
index 52be8136..a127e089 100644
--- a/morph/lib/storage.nix
+++ b/morph/lib/storage.nix
@@ -1,35 +1,11 @@
# Similar to ``issuer.nix`` but for a "storage"-type system. Holes are filled
# by ``customize-storage.nix``.
-{ config, ...} :
-{
- deployment = {
- secrets = {
- "ristretto-signing-key" = {
- destination = "/run/keys/ristretto.signing-key";
- owner.user = "root";
- owner.group = "root";
- permissions = "0400";
- # Service name here matches the name defined by our tahoe-lafs nixos
- # module. It would be nice to not have to hard-code it here. Can we
- # extract it from the tahoe-lafs nixos module somehow?
- action = ["sudo" "systemctl" "restart" "tahoe.storage.service"];
- };
- "monitoringvpn-secret-key" = {
- destination = "/run/keys/monitoringvpn/client.key";
- owner.user = "root";
- owner.group = "root";
- permissions = "0400";
- action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
- };
- "monitoringvpn-preshared-key" = {
- destination = "/run/keys/monitoringvpn/preshared.key";
- owner.user = "root";
- owner.group = "root";
- permissions = "0400";
- action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
- };
- };
- };
+{ lib, config, ...} :
+let
+ inherit (config.deployment) publicKeyPath privateKeyPath;
+ inherit (config) monitoringvpnIPv4;
+in {
+ options.monitoringvpnIPv4 = lib.mkOption {};
# Any extra NixOS modules to load on this server.
imports = [
@@ -42,13 +18,48 @@
../../nixos/modules/monitoring/vpn/client.nix
# Expose base system metrics over the monitoringvpn.
../../nixos/modules/monitoring/exporters/node.nix
+ ./deployment.nix
];
- # Turn on the Private Storage (Tahoe-LAFS) service.
- services.private-storage = {
- # Yep. Turn it on.
- enable = true;
- # Give it the Ristretto signing key to support authorization.
- ristrettoSigningKeyPath = config.deployment.secrets.ristretto-signing-key.destination;
+ config = {
+ deployment = {
+ secrets = {
+ "ristretto-signing-key" = {
+ destination = "/run/keys/ristretto.signing-key";
+ source = "${privateKeyPath}/ristretto.signing-key";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ # Service name here matches the name defined by our tahoe-lafs nixos
+ # module. It would be nice to not have to hard-code it here. Can we
+ # extract it from the tahoe-lafs nixos module somehow?
+ action = ["sudo" "systemctl" "restart" "tahoe.storage.service"];
+ };
+ "monitoringvpn-secret-key" = {
+ destination = "/run/keys/monitoringvpn/client.key";
+ source = "${privateKeyPath}/monitoringvpn/${monitoringvpnIPv4}.key";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+ };
+ "monitoringvpn-preshared-key" = {
+ destination = "/run/keys/monitoringvpn/preshared.key";
+ source = "${privateKeyPath}/monitoringvpn/preshared.key";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+ };
+ };
+ };
+
+ # Turn on the Private Storage (Tahoe-LAFS) service.
+ services.private-storage = {
+ # Yep. Turn it on.
+ enable = true;
+ # Give it the Ristretto signing key to support authorization.
+ ristrettoSigningKeyPath = config.deployment.secrets.ristretto-signing-key.destination;
+ };
};
}
diff --git a/shell.nix b/shell.nix
index f3d2750e..09a57466 100644
--- a/shell.nix
+++ b/shell.nix
@@ -5,8 +5,9 @@ in
pkgs.mkShell {
NIX_PATH = "nixpkgs=${pkgs.path}";
buildInputs = [
+ pkgs.arion
+ pkgs.jp
pkgs.morph
pkgs.vagrant
- pkgs.jp
];
}
--
GitLab